Win32/Rbot trojan - javaws.exe - launches Java Application Cache Viewer

Discussion in 'NOD32 version 2 Forum' started by DonaldsonsIT, May 30, 2006.

Thread Status:
Not open for further replies.
  1. DonaldsonsIT
    DonaldsonsIT Registered Member

    I experienced an attack by Win32/Rbot trojan 'javaws.exe' infection. Warned by NOD32 of attempt to infect and offered quarantine and submit for analysis. Did not prevent the infected file running. This virus prevented internet communication and also disabled NOD32 on demand and in-depth scanner. I had to end the process in Task Manager before I could run NOD32 scanner which then found virus and offered deletion option.

    2 infections arrived 18 seconds apart - Win32/Rbot trojan followed by Win32/Qhost.1 trojan. 'javasw.exe' made 3 attempts to change the registry but Spybot Search and Destroy allowed me to deny the changes. (Qhost may have created files in System32 folder called QTFont.qfn and QTFont.for, but have not checked these out yet)

    Now, when I reboot the computer it launches 2 versions of "javaw.exe" which leaves 2 copies of the Java Application Cache Viewer running on my desktop. I have not located the source of the command to launch these - not in any Startup folder. I have checked the Registry for incidences of javaw.exe but only found in what look like valid Java spots.

    I have Java installed to run the ATO programme ECI. I also found files called QFont.for which I have removed from Windows\System32 folder.
  2. Marcos
    Marcos Eset Staff Account

    That's because you changed the default settings of AMON - it must be set to move newly created files to quarantine to prevent their execution.

    Send a log from Hijackthis along with a link to this thread to support[at]eset.com
    Last edited by a moderator: May 30, 2006
  3. DonaldsonsIT
    DonaldsonsIT Registered Member

    I have reset my NOD settings as per Blackspear Extra Settings so all is now clean, but I am still having problems with the Java Application Cache Viewer launching twice at startup. Would this be the result of the infection (it started immediately after the intrusion) or some other problem o_O?
  4. Blackspear
    Blackspear Global Moderator

    Have you sent a HijackThis log as requested by Marcos?

    Cheers :D
  5. DonaldsonsIT
    DonaldsonsIT Registered Member

    Do not have HijackThis installed. However, I have cleaned the following entries from the registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    Each had a Java Environment setting to run javaws.exe. I removed these and now the Java Application Cache Viewer (javaw.exe) does not launch.

    QTFont.for and QTFont.qfn still get created each startup. Is this a problem?
  6. DonaldsonsIT
    DonaldsonsIT Registered Member

    HijackThis now installed

    Logfile of HijackThis v1.99.1
    Scan saved at 10:22:13 AM, on 31/05/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\StarMicronics\TSP100\Software\20060428\portemu.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\system32\CAP3RSK.EXE
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\RMShop\RMShop.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\CyberLink DVD Solution\Power2Go\Power2GoExpress.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
    C:\WINDOWS\system32\sistray.exe
    C:\Documents and Settings\All Users\Documents\WinZip\WZQKPICK.EXE
    C:\Program Files\palmOne\HOTSYNC.EXE
    C:\Program Files\hott notes 3\hottnotes.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\slrundll.exe
    C:\Program Files\HijackThis1991.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tpg.com.au
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [MYOB RMShop v2.5] C:\RMShop\RMShop.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink DVD Solution\Power2Go\Power2GoExpress.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunServices: [Java Environment] javaws.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Startup: hott notes 3.lnk = C:\Program Files\hott notes 3\hottnotes.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102378971281
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A16A060C-8358-4EBA-9A54-C2971665E4A5}: NameServer = 203.49.70.20 139.134.2.190
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\system32\dhcpclient.exe (file missing)
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINDOWS\system32\dxdmain.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Port Emulator (Star) (PortEmulator) - Unknown owner - C:\Program Files\StarMicronics\TSP100\Software\20060428\portemu.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Sound Sservice Driver (Sound Service) - Rainbow Technologies Inc. - (no file)

    Is this OK?

    Thanks
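
Added example (not part of any post in this thread): a short Python triage of the autostart lines in the HijackThis log above. It flags O4 entries whose command carries no directory, Startup items that are not resolved shortcuts, and O23 services whose file is missing; the function name and reason strings are this example's own.

```python
import re

# Lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\RunServices: [Java Environment] javaws.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\system32\dhcpclient.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_REGISTRY = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(.+?)\] (.+)$")
# "O4 - Startup: <item>[ = <shortcut target>]" (also "Global Startup")
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (.+)$")


def triage(log_text):
    """Return (line, reason) pairs for autostart entries that need a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reg = O4_REGISTRY.match(line)
        startup = O4_STARTUP.match(line)
        if reg:
            # A bare file name is resolved through the search path, so the log
            # alone does not say which copy of the file will run.
            if "\\" not in reg.group(2):
                findings.append((line, "no directory in command; locate the file on disk"))
        elif startup:
            item, sep, target = startup.group(1).partition(" = ")
            if not sep:
                findings.append((line, "file sits directly in a Startup folder, not a shortcut"))
            elif target.strip() == "?":
                findings.append((line, "shortcut target could not be resolved"))
        elif line.startswith("O23 - Service:") and line.endswith("(file missing)"):
            findings.append((line, "service ImagePath points to a missing file"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

A flagged line is a prompt to find the file on disk, not a verdict: `SOUNDMAN.EXE` is flagged here, yet the same log lists it running from `C:\WINDOWS`.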
  7. Blackspear
    Blackspear Global Moderator

    This is fine, it is better these days to send it to support if requested, but Marcos will be awake in a few hours or so and will see this thread.

    Cheers :D
  8. Marcos
    Marcos Eset Staff Account

    Just to make sure, what folder is the file javaws.exe located in? If it's in \windows\system32, then it's a legit file.
  9. auriell
    auriell Registered Member

    At least the above entries are not legit, and I am 100% sure it is malware or its remnant.
  10. flyrfan111
    flyrfan111 Registered Member

  11. DonaldsonsIT
    DonaldsonsIT Registered Member

    Thanks guys - the files were gone but there were Services entries (ImagePath) in the registry HKLM for both.

    What should I do about PowerReg Scheduler.exe?
  12. Blackspear
    Blackspear Global Moderator

    I have found this thread here at Wilders, see if that helps... and this link as well.

    Cheers :D